Linux System Management: security integration between LDAP and NetApp Storage

Many data centers create more advanced file sharing on network file systems. This process requires user account information verification. If you are using a Linux system, you can integrate NetApp storage with LDAP to enhance security.

Most of the stored permission control can be integrated with Microsoft's Active Directory authorization, but it is not easy to configure Lightweight Directory Access Protocol (LDAP) Integration for the Linux system.

Secure File Sharing requires user authorization and verification, as required by High-level data sharing and archiving projects. If a Linux user needs to access these shares, the storage device must first identify these Linux user accounts. In addition to the Active Directory, you can also use LDAP integration, but the configuration of LDAP is complicated. The good news is that NetAPP's storage supports LDAP server verification integration. Next, you can set file access permissions on the storage, just as you do on the local Linux File Server.

Start to configure NetAPP storage and LDAP integration. Use SSH to log on to the command line mode stored in NetAPP. Enter the priv set advanced command, which allows you to set all required security parameters. Then, enter options ldap to view the current settings (you can also perform these operations on the browser webpage ):

 
 

  
  
ams5-fas2240-A*> options ldap 
  
  
ldap.ADdomain 
  
  
ldap.base dc=example,dc=com 
  
  
ldap.base.group 
  
  
ldap.base.netgroup 
  
  
ldap.base.passwd 
  
  
ldap.enable on 
  
  
ldap.minimum_bind_level anonymous 
  
  
ldap.name 
  
  
ldap.nssmap.attribute.gecos gecos 
  
  
ldap.nssmap.attribute.gidNumber gidNumber 
  
  
ldap.nssmap.attribute.groupname cn 
  
  
ldap.nssmap.attribute.homeDirectory homeDirectory 
  
  
ldap.nssmap.attribute.loginShell loginShell 
  
  
ldap.nssmap.attribute.memberNisNetgroup memberNisNetgroup 
  
  
ldap.nssmap.attribute.memberUid memberUid 
  
  
ldap.nssmap.attribute.netgroupname cn 
  
  
ldap.nssmap.attribute.nisNetgroupTriple nisNetgroupTriple 
  
  
ldap.nssmap.attribute.uid uid 
  
  
ldap.nssmap.attribute.uidNumber uidNumber 
  
  
ldap.nssmap.attribute.userPassword userPassword 
  
  
ldap.nssmap.objectClass.nisNetgroup nisNetgroup 
  
  
ldap.nssmap.objectClass.posixAccount posixAccount 
  
  
ldap.nssmap.objectClass.posixGroup posixGroup 
  
  
ldap.passwd ****** 
  
  
ldap.port 389 
  
  
ldap.servers ut01.example.local 
  
  
ldap.servers.preferred ut01.example.local 
  
  
ldap.ssl.enable off 
  
  
ldap.timeout 20 
  
  
ldap.usermap.attribute.unixaccount unixaccount 
  
  
ldap.usermap.attribute.windowsaccount windowsaccount 
  
  
ldap.usermap.base 
  
  
ldap.usermap.enable off 
 
 

If any parameter settings are incorrect, you can use the options ldap. base Command to set the correct search domain:

 
 

  
  
ams5-fas2240-A*> options ldap.base dc=commerce-hub,dc=local 
 
 

After setting the search domain through the command, you need to obtain information from the LDAP directory service. The getXXbyYY command shows how the system verifies the arnaud account:

 
 

  
  
ams5-fas2240-A*> getXXbyYY getpwbyname_r arnaud 
  
  
pw_name = arnaud 
  
  
pw_passwd = {{******}} 
  
  
pw_uid = 1002, pw_gid = 100 
  
  
pw_gecos = 
  
  
pw_dir = /home/arnaud 
  
  
pw_shell = /bin/bash 
  
  
ams5-fas2240-A*> getXXbyYY getpwbyname_r linda 
  
  
pw_name = linda 
  
  
pw_passwd = {{******}} 
  
  
pw_uid = 1001, pw_gid = 100 
  
  
pw_gecos = 
  
  
pw_dir = /home/linda 
  
  
pw_shell = /bin/bash 
 
 

After the user account information sent from the LDAP server is verified, it will ensure that it works properly at all levels. To modify the configuration information of the nsswitch. conf file, you must have the read and write permissions. Use the file editor to open the/etc/nsswitch. conf file. The file should contain the following lines:

 
 

  
  
ams5-fas2240-B> wrfile /etc/nsswitch.conf 
  
  
hosts: files dns nis 
  
  
passwd: ldap files nis 
  
  
netgroup: ldap files nis 
  
  
group: ldap files nis 
  
  
shadow: files nis 
 
 

Now, the storage device can obtain user information through the LDAP server. In this way, after NetApp storage is integrated with the LDAP server user verification, the permission settings shared by the Network File System (NFS) can be normally controlled. You can use the options nfs. v4.acl. enable command to switch the NFSv4 access control list. You can also apply the Linux system acl to the NetApp storage, so that the storage can be more like the Linux File directory, with the corresponding permissions:

 
 

  
  
ams5-fas2240-B> options nfs.v4.acl.enable on 
 
 

Changes to the nfs. v4.acl. enable option affect all the members in the high availability configuration in occupied mode. Make sure that the modification parameters are consistent with the member permissions in the high-availability pairing.

NetApp storage is now fully integrated with the Linux environment, and administrators can use it as a local Linux File System.